The "Host_IDS_File_Tampering" IDS policy triggers a filewatch event when the C:\windows\temp folder is altered, even though that folder is NOT configured to be monitored.
Monitoring %systemroot%\*.exe or %systemroot%\*.dll (as defined in the default "Host_IDS_File_Tampering" policy) will trigger events for c:\windows\temp\*.exe or c:\windows\temp\*.dll, because the wildcard also matches files in subfolders of %systemroot%.
SCSP is behaving as designed but the design can be improved.
The issue is planned to be addressed in the next major release of SCSP, which may be some time away.
A workaround is to add %SystemRoot%\Temp to the "Ignore Files" option setting in the policy.
From testing, this issue is not specific to a particular version of Symantec Critical System Protection (SCSP).
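The wildcard behaviour and the workaround can be modelled in a few lines. This is an added example, not SCSP code: it assumes %SystemRoot% is C:\Windows, that `*` matches any characters including `\` (the behaviour described above), and that an "Ignore Files" entry naming a folder covers everything beneath it; the function names and sample paths are constructed for illustration.

```python
import fnmatch

SYSTEMROOT = r"C:\Windows"  # assumed value of %SystemRoot%

# Watch patterns from the article's description of the default policy.
WATCH = [r"%systemroot%\*.exe", r"%systemroot%\*.dll"]
# Workaround from the article: add this entry to "Ignore Files".
IGNORE = [r"%SystemRoot%\Temp"]


def expand(pattern):
    """Substitute %SystemRoot% and lower-case (Windows paths are case-insensitive)."""
    return pattern.lower().replace("%systemroot%", SYSTEMROOT.lower())


def watched(path, watch_patterns):
    """True if any watch pattern matches; '*' here also spans '\\' separators."""
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, expand(w)) for w in watch_patterns)


def ignored(path, ignore_entries):
    """Assumption: a folder entry ignores the folder itself and all files under it."""
    p = path.lower()
    for entry in ignore_entries:
        e = expand(entry).rstrip("\\")
        if p == e or p.startswith(e + "\\"):
            return True
    return False


def raises_event(path, watch_patterns, ignore_entries=()):
    """A change raises a filewatch event if it is watched and not ignored."""
    return watched(path, watch_patterns) and not ignored(path, ignore_entries)


if __name__ == "__main__":
    samples = [  # constructed sample paths
        r"C:\Windows\notepad.exe",
        r"C:\Windows\Temp\setup.exe",
        r"C:\Windows\Temp\log.txt",
        r"C:\Windows\System32\example.dll",
    ]
    for s in samples:
        print(f"{s:36} default={raises_event(s, WATCH)!s:5} "
              f"with_ignore={raises_event(s, WATCH, IGNORE)}")
```

Under these assumptions the ignore entry suppresses events only for C:\Windows\Temp; executables and DLLs elsewhere under %SystemRoot%, including other subfolders, still raise events.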